Data Protection Officer Legal Requirement Under GDPR
The legal requirement to appoint a data protection officer is covered by Article 37 of GDPR. The two articles that follow it, Articles 38 and 39, set forth the details of the position and the tasks of the DPO. Because those GDPR Articles also convey a few requirements of the DPO position, we cover a few aspects from those sections here as well.
Why is a Data Protection Officer a Legal Requirement?
Many large organizations have compliance departments. But these departments have not always been able to ensure that the company is compliant with every legal obligation set forth by government regulations. The compliance officer may not have the resources or personnel they need in order to fulfill their obligations, they may not have the organizational support to do so, or they may simply be left out of the process by the business's other employees. They also may be tasked with a wide array of compliance responsibilities and not be focused on cybersecurity or data privacy specifically. The GDPR DPO requirement ensures that organizations engaged in high-risk activities have an individual who has both the knowledge to protect the privacy of the organization's data subjects and the responsibility to do so.
Who Needs a Data Protection Officer?
The requirement for a data protection officer applies to both controllers and processors that meet certain criteria based on their core activities or processing. There are three subsections setting forth the legal requirement to hire someone for this position. The first applies solely to public authorities or bodies, so we will skip it here, given that the overwhelming majority of our company's audience are businesses.
Regular and Systematic Monitoring
The first of the two requirements that apply to businesses covers businesses whose “core activities … require regular and systematic monitoring of data subjects on a large scale ….” This requirement has three parts:
1. large scale
2. regular and systematic monitoring of data subjects
3. as a core activity of the company.
The second set of companies that need to hire a data protection officer are those engaged in large-scale processing of personal data covered by Article 9 or Article 10. Article 10 covers personal data related to criminal convictions and offenses. Article 9 covers a wide array of personal data that warrants special concern, ranging from personal data revealing racial or ethnic origin to genetic data. If the processing of such personal data is occurring on a large scale as a core activity of the company, then the organization must hire a DPO.
Data Protection Officer Qualifications
GDPR requires the data protection officer of a controller or processor to be selected for their professional qualities, including expertise in data privacy and the ability to fulfill the tasks required of a DPO. In other words, the individual needs to be able to inform and advise the organization and its employees about data protection law and practices, monitor compliance with the GDPR and other data protection laws (including conducting audits), train staff on GDPR compliance, provide advice on data protection impact assessments, and serve as the point of contact for the supervisory authority.
Organizations may also voluntarily appoint a data protection officer pursuant to Article 37(4) even when one is not required by law. However, a voluntarily appointed DPO must meet the same qualifications, and the DPO must be given the same support, duties and responsibilities as if the company were actually required to have a data protection officer. The fact that the organization is not technically required to have someone in the role does not diminish the standards that must be met by the individual or the responsibilities of the organization.
Data Protection Officer Organizational Support
The GDPR in many ways sets the tone for the DPO position internally at the organization. Within the organization, the person must report directly to the highest level of management and is not allowed to be penalized or dismissed for performing their tasks. They must also not receive any instructions regarding the exercise of their tasks concerning personal data and processing operations. In other words, the organization is required to hire an individual with the proper experience, have them report to senior management, and not punish them in any way for working towards compliance.
Organizations with a DPO must involve their officer in all issues concerning the protection of personal data. They need to provide the resources necessary to maintain his or her knowledge in the field as well as the resources to perform the necessary tasks. The organization cannot deny a data protection officer access to what they need to do their job.
If the DPO has other duties beyond the scope of their position as the data protection officer, then the business must ensure that there is no conflict of interest. The goal of the GDPR requirement is to ensure, first and foremost, that the privacy of data subjects is protected. So the conflict of interest requirement ensures that data protection is the top priority for this individual and no other tasks undermine that commitment.
Does Your Business Need a Data Protection Officer?
Consider the Clarip Data Protection Officer as a Service. It will fulfill your obligations under the General Data Protection Regulation and ensure that your organization has the expertise needed to maintain the privacy of the personal data held by your business. Call Clarip at 1-888-252-5653 for a proposal to fill the needs of your organization with respect to this legal requirement of GDPR.
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.